On most computer networks, bits of data arranged in bytes are packaged into collections called packets. These packets are generally communicated between computing devices over wired or wireless networks. A suite of communication protocols may be employed to communicate between at least two endpoints over one or more networks. One or more protocols may be layered on top of one another to form a protocol stack. One model for a network communication protocol stack is the Open Systems Interconnection (OSI) model, which defines seven layers of different protocols that cooperatively enable communication over a network. The OSI model layers are arranged in the following order: Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), and Application (7).
Another model for a network communication protocol stack is the Internet Protocol (IP) model, which is also known as the Transmission Control Protocol/Internet Protocol (TCP/IP) model. The TCP/IP model is similar to the OSI model except that it defines four layers instead of seven. The TCP/IP model's four layers for network communication protocol are arranged in the following order: Link (1), Internet (2), Transport (3), and Application (4). To reduce the number of layers from four to seven, the TCP/IP model collapses the OSI model's Application, Presentation, and Session layers into its Application layer. Also, the OSI's Physical layer is either assumed or is collapsed into the TCP/IP model's Link layer. Although some communication protocols may be listed at different numbered or named layers of the TCP/IP model versus the OSI model, both of these models describe stacks that include basically the same protocols. For example, the TCP protocol is listed on the fourth layer of the OSI model and on the third layer of the TCP/IP model. To assess and troubleshoot communicated packets and protocols over a network, different types of network monitors can be employed. One type of network monitor, a “packet sniffer” may be employed to generally monitor and record packets of data as they are communicated over a network. Some packet sniffers can display data included in each packet and provide statistics regarding a monitored stream of packets. Also, some types of network monitors are referred to as “protocol analyzers” in part because they can provide additional analysis of monitored and recorded packets regarding a type of network, communication protocol, or application.
Generally, packet sniffers and protocol analyzers passively monitor network traffic without participating in the communication protocols. In some instances, they receive a copy of each packet on a particular network segment or VLAN from one or more members of the network segment. They may receive these packet copies through a port mirror on a managed Ethernet switch, e.g., a Switched Port Analyzer (SPAN) port, a Roving Analysis Port (RAP), or the like, or combinations thereof. Port mirroring enables analysis and debugging of network communications. Port mirroring can be performed for inbound or outbound traffic (or both) on single or multiple interfaces. In other instances, packet copies may be provided to the network monitors from a specialized network tap or from a software agent running on the client or server. In virtual environments, port mirroring may be performed on a virtual switch that is incorporated within the hypervisor.
In some instances, a proxy is actively arranged between two endpoints, such as a client device and a server device. The proxy intercepts each packet sent by each endpoint and optionally transforms and forwards the payload to the other endpoint. Proxies often enable a variety of additional services such as load balancing, caching, content filtering, and access control. In some instances, the proxy may operate as a network monitor. In other instances, the proxy may forward a copy of the packets to a separate network monitor.
In some networks, packet capture devices may be installed. Packet capture devices may be arranged to capture and store network packets for subsequent analysis. However, the sheer amount of data communicated over networks may result in a prohibitively high number of network packets. Accordingly, packets and/or portions of packets may be selectively captured to reduce data storage requirements. In addition, as information technology infrastructure becomes more complex and more dynamic, there may be numerous packet types and formats for the various different types of network protocols and applications that may be carried on modern networks that it difficult for effective network packet capture. Further, many modern networks or networked applications are increasingly using one or more cryptographic protocols to enable secure connections. Secure connections are designed to provide cryptographically secure communication. In some cases, the cryptographically secure communication may interfere with network monitoring. Thus, it is with respect to these considerations and others that the present invention has been made.